Expert
Meeting Cybersecurity Standards: From Local to Global
Dr. Peter Noordhoek, Director-Secretary of the Quality Innovation Foundation
With the introduction of the new European NIS2 directive, a new cybersecurity standard for SMEs is coming: the NIS2 Quality Mark. Dr. Peter Noordhoek, director-secretary of the Quality Innovation Foundation, laid the groundwork for this development.
What is the basic idea behind the NIS2 Quality Mark?
Peter: ‘The NIS2 is a law that affects many companies and sectors. There are many laws, which can be challenging for companies. Industry organizations are used to laws, standards, and quality marks. In this case, it turned out that there was a need for a translation of the law into a standard. In the Netherlands alone, an estimated 50,000 to 70,000 companies will be directly or indirectly affected by NIS2. That’s a huge number, and our challenge was to develop a standard that is not only effective but also affordable and accessible to all these companies, regardless of their size.’
How would you describe the NIS2 Quality Mark?
Peter: ‘The NIS2 Quality Mark was launched last year for the Netherlands and has now been further developed. Going international was always the plan, and now it’s happening. Dutch companies are strongly internationally oriented, and as the fifth largest export country and eighth largest import country in the world, it is essential that these companies meet the cybersecurity requirements of international partners. NIS2 Quality Mark certification helps companies demonstrably comply with cybersecurity. This is essential for our international competitive position.’
Is it gaining traction?
Peter: ‘Indeed, it’s progressing very well. We have a collaboration with Samen Digitaal Veilig. By now, 64 industry organizations (with a reach of more than 100,000 companies) are communicating this to their members as a standard. Many companies are already working on achieving it. We’re very happy about that.’
There are various levels; how does that work?
Peter: ‘In the market, there are very good, but quite heavy frameworks and standards (such as NIST, ISO 27001, and NEN 7510) that are suitable for large, more complex organizations. Below that, there was nothing. Now, there is. We have created three levels as a ladder to higher standards. This is possible because NIS2 is about risk, and not every company poses an equally severe risk. So there’s room for differentiation. We’ve utilized that. ENISA, the European cyber agency, opened the door a few years ago with the announcement of tiered standards for laws. This is very beneficial. We’re now reaping the benefits of that.
The basic standard NIS2-QM10 offers companies the opportunity to start with a basic level of security. This standard is at the same level as what the NCSC has on their website and helps companies immediately get started with the first crucial steps.
NIS2 includes the obligation to secure the supply chain. So NIS2 organizations must check their suppliers if there is a risk. Low risk? Then a low standard is sufficient. With more risk, such as with IT companies, companies can, depending on their risk profile and needs, grow to QM20 and QM30. This tiered model is deliberately designed to be scalable and flexible, so that both small and larger companies can implement it. This significantly lowers the threshold to start with cybersecurity.
What’s important is that we don’t want companies to see certification as the end goal. The goal is for companies to actually become and remain safe. Certification is just a means to achieve that goal.’
What are the main advantages of the NIS2 Quality Mark?
Peter: ‘The biggest advantage is the simplicity and comprehensibility of the standard. Additionally, the standard can be downloaded free of charge from our website. We’ve created a structure that companies can quickly implement, without getting stuck in complex certification processes that cost a lot of time and money.
Moreover, our model is scalable. This tiered model is suitable for both small and large companies. We also prevent duplication in the application of standards: for each standard, it’s described where it touches other standards. If that standard has already been tested, it doesn’t need to be done again with us. We don’t want to impose double work. That would only frustrate.’
How does this standard support companies internationally?
Peter: ‘The standard not only helps companies comply with the new European legislation and regulations but also allows SMEs to collaborate with their foreign customers and suppliers. The requirements from NIS2 regarding the supply chain are crystal clear. Companies must comply with these to continue doing business. With the NIS2 Quality Mark, we ensure that Dutch companies are ready to meet the cybersecurity requirements of their international partners.’